Business Associate Agreement

BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement ("Agreement") is entered into between MDHex Inc. ("Covered Entity") and [Your Organization Name] ("Business Associate"). WHEREAS, Covered Entity and Business Associate wish to ensure compliance with the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), the Health Information Technology for Economic and Clinical Health Act ("HITECH Act"), and their implementing regulations; NOW, THEREFORE, in consideration of the mutual covenants and agreements herein contained, the parties agree as follows: 1. DEFINITIONS 1.1 "Protected Health Information" or "PHI" has the same meaning as set forth in 45 CFR § 160.103. 1.2 "Individual" means the person who is the subject of PHI. 1.3 "Required by Law" has the same meaning as set forth in 45 CFR § 164.103. 1.4 "Secretary" means the Secretary of the Department of Health and Human Services or their designee. 2. PERMITTED USES AND DISCLOSURES 2.1 Business Associate may use or disclose PHI only as permitted or required by this Agreement or as Required by Law. 2.2 Business Associate may use PHI for proper management and administration of Business Associate or to carry out legal responsibilities. 2.3 Business Associate may disclose PHI for proper management and administration, provided such disclosure is Required by Law or Business Associate obtains reasonable assurances from the recipient that the PHI will be held confidentially. 3. OBLIGATIONS OF BUSINESS ASSOCIATE 3.1 Business Associate shall not use or disclose PHI other than as permitted or required by this Agreement or as Required by Law. 3.2 Business Associate shall use appropriate safeguards to prevent use or disclosure of PHI other than as provided for by this Agreement, including implementing administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of electronic PHI. 3.3 Business Associate shall report to Covered Entity any use or disclosure of PHI not provided for by this Agreement, including breaches of unsecured PHI, of which it becomes aware. 3.4 Business Associate shall ensure that any subcontractors or agents that create, receive, maintain, or transmit PHI on behalf of Business Associate agree to the same restrictions and conditions that apply to Business Associate. 3.5 Business Associate shall make available PHI in a Designated Record Set to Covered Entity as necessary to satisfy Covered Entity's obligations under 45 CFR § 164.524. 3.6 Business Associate shall make any amendments to PHI in a Designated Record Set as directed by Covered Entity pursuant to 45 CFR § 164.526. 3.7 Business Associate shall make available the information required to provide an accounting of disclosures to Covered Entity as necessary to satisfy Covered Entity's obligations under 45 CFR § 164.528. 3.8 Business Associate shall make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary for purposes of determining compliance with HIPAA. 4. TERM AND TERMINATION 4.1 This Agreement shall be effective as of the date of acceptance and shall continue until all PHI provided by Covered Entity is destroyed or returned to Covered Entity. 4.2 Upon termination, Business Associate shall return or destroy all PHI received from Covered Entity. If return or destruction is not feasible, Business Associate shall extend the protections of this Agreement to such PHI and limit further uses and disclosures. 5. MISCELLANEOUS 5.1 This Agreement shall be governed by and construed in accordance with applicable federal law and regulations. 5.2 The parties agree to take such action as is necessary to amend this Agreement to comply with changes in federal law and regulations relating to PHI. IN WITNESS WHEREOF, the parties have executed this Agreement as of the date of acceptance below. Covered Entity: MDHex Inc. Business Associate: [Your Organization Name]